How to Configure VSFTPD FTPS with SSL/TLS on Ubuntu 18.04

FTP (File Transfer Protocol) is used to transfer files between a computer and a server over a network. Plain FTP transfers data unencrypted and should be limited to networks you trust. Instead, use FTPS (File Transfer Protocol with SSL), which secures the connection between the two ends with SSL/TLS, or SFTP (SSH File Transfer Protocol, also called Secure File Transfer Protocol).

This article provides detailed steps on how to configure a secured vsftpd server with SSL/TLS on Ubuntu 18.04 and how to connect to it using a terminal and GUI tools.

Install VSFTPD server

There are several FTP servers available for Linux. We are going to install vsftpd. On Ubuntu 18.04, type the following command in the terminal:

sudo apt install vsftpd

Once vsftpd is installed, its default configuration file is located at /etc/vsftpd.conf. Before changing that file and testing custom configurations, we first create a backup of it. To do so you can run:

Note that these are the most commonly used configuration options and you are free to change them according to your needs.

Ubuntu 18.04 comes with ufw (Uncomplicated Firewall) preinstalled and enabled. You can check whether ufw is running on your machine with this command:

sudo service ufw status

If it is running and you are going to leave it running, you must allow incoming traffic to the FTP ports (20 and 21 for active connections and 10000-10100 for passive ones). To do so you can run:

sudo ufw allow from any to any port 20,21,10000:11000 proto tcp

If successful, the output will be like the one below:

Rules updated
Rules updated (v6)

After all these steps are done, we need to restart the vsftpd server with the following command:

sudo service vsftpd restart

Creating a user to connect to the FTP server

Once the vsftpd server is installed and configured according to our needs, we need to create a user (e.g. ftpuser) to connect to the FTP server. To do so you can run:

sudo useradd -m ftpuser

Create a password for the newly created user with the command below:

sudo passwd ftpuser

You will then be prompted to enter a new UNIX password and retype it for the change to be applied. Successful output looks like this:

passwd: password updated successfully

Prepare the FTP user directory

One of the most important steps in securing the FTP service is to restrict users to their home directory so that they have no access to other directories at all. In vsftpd this is done by enabling chroot in the configuration file, which we already did in the configuration part of the article (chroot_local_user=YES). vsftpd's chroot security model assumes that the user does not have write access to the chroot directory. But if we are giving FTP access to existing users who also use a shell on the server, they may need write access to their home folder. To avoid weakening security while still giving the user a usable FTP area, we create an ftp folder in the user's home directory and set it in the vsftpd configuration as the local root for FTP connections. We also need to change the ownership of that directory and remove write access. To do so you can run:

sudo mkdir /home/ftpuser/ftp

sudo chown nobody:nogroup /home/ftpuser/ftp

sudo chmod a-w /home/ftpuser/ftp

Then add or change the following lines in the vsftpd configuration file /etc/vsftpd.conf:

user_sub_token=$USER
local_root=/home/$USER/ftp

After these steps are done, we need to create another folder inside /home/ftpuser/ftp and assign its ownership to the user:

sudo mkdir /home/ftpuser/ftp/files

sudo chown ftpuser:ftpuser /home/ftpuser/ftp/files
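The layout above is easy to get wrong, and vsftpd refuses to start a session when the chroot root is writable. The script below is an added example (not from the article or from vsftpd) that checks a user's layout before the service is restarted; the user name and paths are whatever you pass in, the article's being ftpuser, /home/ftpuser/ftp and files. It relies on GNU stat.

```shell
#!/bin/sh
# Added example, not from the original article: check an FTP user's chroot
# layout before restarting vsftpd. vsftpd refuses to run a session when the
# chroot root directory is writable, so local_root must carry no write bits,
# must not belong to the FTP user, and the writable area must be a
# subdirectory owned by the user (the chown is not verified here because
# it needs root to reproduce). Requires GNU stat (Linux).
#
# usage: check_ftp_layout USER LOCAL_ROOT SUBDIR
# Prints one line per problem; returns the number of problems (0 = ok).
check_ftp_layout() {
    user=$1 root=$2 sub=$3
    problems=0
    if [ ! -d "$root" ]; then
        echo "local_root missing: $root"
        return 1
    fi
    # permission bits of local_root in octal, e.g. 555; any write bit is fatal
    mode=$(stat -c '%a' "$root")
    if [ $((0$mode & 0222)) -ne 0 ]; then
        echo "local_root is writable (mode $mode); run: chmod a-w $root"
        problems=$((problems + 1))
    fi
    # the chroot root must be owned by someone other than the FTP user
    owner=$(stat -c '%U' "$root")
    if [ "$owner" = "$user" ]; then
        echo "local_root is owned by $user; run: chown nobody:nogroup $root"
        problems=$((problems + 1))
    fi
    # the writable area: must exist and carry the owner write bit
    if [ ! -d "$root/$sub" ]; then
        echo "upload directory missing: $root/$sub"
        problems=$((problems + 1))
    else
        submode=$(stat -c '%a' "$root/$sub")
        if [ $((0$submode & 0200)) -eq 0 ]; then
            echo "upload directory is not writable by its owner: $root/$sub"
            problems=$((problems + 1))
        fi
    fi
    return $problems
}

if [ "$#" -eq 3 ]; then
    check_ftp_layout "$1" "$2" "$3"
fi
```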

To test that we are able to view files in the user's home directory after connecting to the FTP server, we are going to create a test file in that directory and add some text to it. To do so you can run:

If userlist_deny is set to NO, only users added to the file can access the FTP server; if it is set to YES, users listed in the file are denied access and everyone else is allowed. Add usernames to /etc/vsftpd.userlist with the command below:

echo "ftpuser" | sudo tee -a /etc/vsftpd.userlist

Configure SSL for VSFTPD

Since data (even credentials) transferred via plain FTP is not encrypted, we can enable TLS/SSL to add another layer of security to our FTP server. To create a certificate using openssl, run the following:

where -days 365 sets the certificate validity to one year, and passing the same path to both -out and -keyout places the private key and the certificate in the same file. You will be prompted for the information needed to create the certificate, as shown below:

Generating a 2048 bit RSA private key
.................+++
..............................................................................................+++
writing new private key to '/etc/ssl/private/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:SY
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linoxide
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ubuntu
Email Address []:[email protected]

After the certificate is created we need to add it to the vsftpd config file and enable SSL. To do so, add the following lines to that file:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

Next, we deny anonymous connections over SSL and require SSL for both data transfer and login. To do so, add the following lines to /etc/vsftpd.conf:

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

Once the lines above are added, we configure the server to use TLS, the preferred successor to SSL. To do so, add the following lines to the same file:

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

After all these steps, our vsftpd configuration file will look like this:

After any change to the vsftpd configuration file, we need to restart the service with the following command:

sudo service vsftpd restart

You could also configure vsftpd to use a Let's Encrypt certificate for FTPS, but make sure you have a domain to validate. Point the certificate and private key paths in the vsftpd configuration to where the Let's Encrypt certificate and key are stored.

Connect using an FTP client with a GUI

We are going to use FileZilla to connect to our FTP server running on Linux. Open the FileZilla client on your machine, enter the FTP server's IP address and the ftpuser credentials, and press the Connect button as shown in the screenshot below. You will be prompted to trust the certificate, after which you will be connected to the FTP server.

After connecting we can see that the test.txt that we created before is there.

As the article shows, installing vsftpd and connecting to it is easy and can be done in a few steps. The main point is to secure the FTP server through its configuration file: chrooting the user to their home directory, disabling anonymous login, and setting the local umask and the user's read and write permissions.
